+5577. [bug] Fix the "three is a crowd" key rollover bug in
+ dnssec-policy by correctly implementing Equation(2) of
+ the "Flexible and Robust Key Rollover" paper. [GL #2375]
+
5575. [bug] When migrating to dnssec-policy, BIND considered keys
with the "Inactive" and/or "Delete" timing metadata as
possible active keys. This has been fixed. [GL #2406]
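Review bot: The new 5577 entry writes "Equation(2)" with no space, while the release note added in the same change writes "Equation (2)"; make the two consistent. The entry also identifies the bug only by its nickname, so someone reading CHANGES alone cannot tell that the effect was possible premature removal of predecessor keys; a short clause such as "which could remove predecessor keys prematurely" would cover it. Separately, 5577 sits directly above 5575 in the visible context, so confirm that 5576 is reserved or lands in another change.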
- When migrating to ``dnssec-policy``, BIND considered keys with the "Inactive"
and/or "Delete" timing metadata as possible active keys. This has been fixed.
[GL #2406]
+
+- Fix the "three is a crowd" key rollover bug in ``dnssec-policy``. When keys
+ rolled faster than the time required to finish the rollover procedure, the
+ successor relation equation failed because it assumed only two keys were
+ taking part in a rollover. This could lead to premature removal of
+ predecessor keys. BIND 9 now implements a recursive successor relation, as
+ described in the paper "Flexible and Robust Key Rollover" (Equation (2)).
+ [GL #2375]
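Review bot: The added release note says the bug "could lead to premature removal of predecessor keys" but does not tell an operator which configurations are affected or what to check after upgrading. Consider stating the trigger in terms of the policy (a key lifetime shorter than the time needed to finish a rollover, so that more than two keys take part at once) and saying whether zones that already rolled under the old two-key successor relation need any action.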